Hacker code could unleash Windows worm

A hacker group released code designed to exploit a widespread Windows flaw, paving the way for a major worm attack as soon as this weekend, security researchers warned.
The warning came Friday, after hackers from the Chinese X Focus security group forwarded source code to several public security lists. The code is for a program designed to allow an intruder to enter Windows computers.

The X Focus program takes advantage of a hole in the Microsoft operating system that lets attackers break in remotely. The flaw has been characterized by some security experts as the most widespread ever found in Windows.

"An exploit (program) like this is very easy to turn into a worm," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security. "I wouldn't be surprised if we see a worm sooner rather than later."

While many security researchers believe the publication of such information can encourage security personnel in businesses to patch holes faster, the release of exploit code has typically preceded the largest worm attacks of the past few years.

Maiffret and other security researchers worried that next week's Defcon hacker conference in Las Vegas will act as a catalyst and spur a malicious hacker to create and release such a worm.

In January, the Slammer worm spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.

Maiffret is quite familiar with how exploits and explicit details about vulnerabilities can be turned into malicious code. In June 2001, his company released details of another Microsoft flaw, in a component of Web server software. A month later, the flaw became the mechanism by which the Code Red worm spread.

Release tension
Maiffret, who doesn't support the release of exploit code, points to the X Focus notice as proof that exploits can be created without explicit details in the advisory. Few details were available to hackers and security researchers about the Windows flaw it was based on, but the exploit program was created quickly nevertheless.

Jeff Jones, senior director for Microsoft's Trustworthy Computing initiative, took the creators of the code to task, saying that the release of a program to exploit a specific vulnerability doesn't help make companies more secure.

"We believe publication of exploit code in cases like this is not good for customers," he said. Jones hinted that Microsoft may attempt to identify the issuer of a worm and to take legal action against the culprit. "While the release of exploits are protected in the United States under the First Amendment, intentional use of that code to cause damage is criminal."

Microsoft released details of the exploited vulnerability on July 16. The flaw is in a component of the operating system that allows other computers to request the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates such activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

The Chinese code worked on only three variants of Windows, but could show knowledgeable hackers how to take advantage of the flaw.

'So I fixed it'
HD Moore, a security researcher and the founder of the Metasploit Project, has done just that. A well-known hacker and programmer of security code, Moore has taken the Chinese code and improved it. Now the code works for at least seven versions of the operating system, including Windows 2000 Service Pack 0 to Service Pack 4 and Windows XP Service Pack 0 and Service Pack 1.

"I don't like broken exploits, so I fixed it," he said.

Moore posted his improved code for the program to a Web site hosted on his home network and found an unexpected amount of interest in the program. After other security researchers became aware of the code, Moore's site started receiving 300 to 400 download requests every second, taking down his cable modem connection. He planned to move the site to a hosting provider later this weekend.

Moore also believed that the code could easily be turned into a worm.

"This is probably the most widespread vulnerability that lets you get remote root," he said. "It's almost guaranteed to be turned into a worm." Remote root is a security term for the ability to take control of a computer over the Internet.

The prospect has financial companies worried, said another security researcher, who asked not to be named. The companies have had only two weeks to evaluate the Microsoft patch and apply it--an impossible task for chronically overworked network administrators.

"It's a huge problem, because they haven't had time," said the researcher. "It takes weeks to remediate a whole Class-B (about 65,000 addresses) network."

And even companies that have patched all the flaws and taken prescriptive measures to harden their firewalls have to be sure they haven't missed anything, said eEye's Maiffret.

"This is going to be something like the SQL Slammer worm," he said. "It won't affect the outside networks (such as the Internet); it's going to affect the inside networks. All it takes is one server to get infected. You think it (was) bad when your database servers went down. This will take those servers and every other computer down as well."